use of co.cask.cdap.security.spi.authorization.UnauthorizedException in project cdap by caskdata.
the class InMemoryAuthorizer method enforce.
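/**
 * Verifies that {@code principal} holds every action in {@code actions} on {@code entity}.
 *
 * <p>The effective privileges are the actions granted to the principal directly plus, when the
 * principal is not itself a role, the actions granted to each role it belongs to. Both sources
 * are combined before the check, so a request covered partly by a direct grant and partly by a
 * role grant is accepted. The exception names only the actions missing from both.
 *
 * @param entity the entity on which the actions are requested
 * @param principal the principal whose privileges are checked
 * @param actions the actions that must all be granted
 * @throws UnauthorizedException if at least one requested action is granted neither directly nor
 *     through a role of the principal
 */
@Override
public void enforce(EntityId entity, Principal principal, Set<Action> actions) throws UnauthorizedException {
  // Super users are never subject to enforcement. The second test does not depend on the caller:
  // when allSuperUsers is present in superUsers, every principal takes this early return, so
  // that entry switches enforcement off for everyone.
  if (superUsers.contains(principal) || superUsers.contains(allSuperUsers)) {
    return;
  }

  // Start from the actions granted directly to this principal (copied so it can be extended).
  Set<Action> granted = new HashSet<>(getActions(entity, principal));
  if (granted.containsAll(actions)) {
    return;
  }

  // Roles are not expanded further: only users/groups inherit the grants of their roles.
  if (principal.getType() != Principal.PrincipalType.ROLE) {
    for (Role role : getRoles(principal)) {
      granted.addAll(getActions(entity, role));
    }
  }

  // Report exactly what is still missing after direct and role grants are both considered.
  Set<Action> missing = new HashSet<>(actions);
  missing.removeAll(granted);
  if (!missing.isEmpty()) {
    throw new UnauthorizedException(principal, missing, entity);
  }
}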
use of co.cask.cdap.security.spi.authorization.UnauthorizedException in project cdap by caskdata.
the class DefaultAuthorizationEnforcerTest method testPropagationDisabled.
/**
 * Grants Alice ADMIN on the namespace and checks that the grant is honoured on the namespace
 * itself but does not carry over to the application entity.
 */
@Test
public void testPropagationDisabled() throws Exception {
  // NOTE(review): the configuration is copied but no setting is changed on the copy in this
  // method; confirm whether a propagation flag was meant to be set here.
  CConfiguration conf = CConfiguration.copy(CCONF);
  try (AuthorizerInstantiator instantiator = new AuthorizerInstantiator(conf, AUTH_CONTEXT_FACTORY)) {
    DefaultAuthorizationEnforcer enforcer = new DefaultAuthorizationEnforcer(conf, instantiator);
    instantiator.get().grant(Authorizable.fromEntityId(NS), ALICE, ImmutableSet.of(Action.ADMIN));

    // Must pass: the privilege was granted on exactly this entity.
    enforcer.enforce(NS, ALICE, Action.ADMIN);

    // Must be rejected: nothing was granted on APP.
    boolean denied = false;
    try {
      enforcer.enforce(APP, ALICE, Action.ADMIN);
    } catch (UnauthorizedException expected) {
      denied = true;
    }
    if (!denied) {
      Assert.fail("Alice should not have ADMIN privilege on the APP.");
    }
  }
}
use of co.cask.cdap.security.spi.authorization.UnauthorizedException in project cdap by caskdata.
the class DefaultAuthorizationEnforcerTest method testAuthEnforce.
/**
 * Walks through grant, enforce and revoke for two principals and checks that each enforcement
 * call is accepted or rejected according to the privileges granted at that point.
 */
@Test
public void testAuthEnforce() throws Exception {
  try (AuthorizerInstantiator instantiator = new AuthorizerInstantiator(CCONF, AUTH_CONTEXT_FACTORY)) {
    Authorizer grants = instantiator.get();
    DefaultAuthorizationEnforcer enforcer = new DefaultAuthorizationEnforcer(CCONF, instantiator);

    // Nothing has been granted to Alice yet, so enforcement must fail.
    assertAuthorizationFailure(enforcer, NS, ALICE, Action.ADMIN);

    // Alice gets READ and WRITE on the namespace, Bob gets ADMIN on a dataset inside it.
    DatasetId dataset = NS.dataset("ds");
    grants.grant(Authorizable.fromEntityId(NS), ALICE, ImmutableSet.of(Action.READ, Action.WRITE));
    grants.grant(Authorizable.fromEntityId(dataset), BOB, ImmutableSet.of(Action.ADMIN));

    // Exactly the granted set passes; asking for every action does not.
    enforcer.enforce(NS, ALICE, ImmutableSet.of(Action.READ, Action.WRITE));
    assertAuthorizationFailure(enforcer, NS, ALICE, EnumSet.allOf(Action.class));

    // Alice's namespace grant does not give her READ or WRITE on the dataset.
    assertAuthorizationFailure(enforcer, dataset, ALICE, Action.READ);
    assertAuthorizationFailure(enforcer, dataset, ALICE, Action.WRITE);

    // ADMIN on the namespace was never granted to Alice.
    assertAuthorizationFailure(enforcer, NS, ALICE, Action.ADMIN);

    // Bob was granted ADMIN on the dataset, so this passes.
    enforcer.enforce(dataset, BOB, Action.ADMIN);

    // Revoke only READ from Alice on the namespace; READ must be rejected afterwards.
    grants.revoke(Authorizable.fromEntityId(NS), ALICE, ImmutableSet.of(Action.READ));
    boolean readDenied = false;
    try {
      enforcer.enforce(NS, ALICE, Action.READ);
    } catch (UnauthorizedException expected) {
      readDenied = true;
    }
    if (!readDenied) {
      Assert.fail(String.format("Expected %s to not have '%s' privilege on %s but it does.", ALICE, Action.READ, NS));
    }

    // Revoke on the namespace without naming a principal or actions: Alice must lose both READ
    // and WRITE there, while Bob's grant on the dataset must remain in force.
    grants.revoke(Authorizable.fromEntityId(NS));
    assertAuthorizationFailure(enforcer, NS, ALICE, Action.READ);
    assertAuthorizationFailure(enforcer, NS, ALICE, Action.WRITE);
    enforcer.enforce(dataset, BOB, Action.ADMIN);
  }
}
use of co.cask.cdap.security.spi.authorization.UnauthorizedException in project cdap by caskdata.
the class AbstractAuthorizationEnforcer method enforce.
/**
 * Enforces each of {@code actions} individually and reports all rejected actions together.
 *
 * <p>Every action is checked even after one has been rejected, so the thrown exception lists the
 * complete set of disallowed actions. The individual rejections are attached as suppressed
 * exceptions to the exception passed as the cause.
 *
 * @param entity the entity on which the actions are requested
 * @param principal the principal whose privileges are checked
 * @param actions the actions to enforce
 * @throws UnauthorizedException if one or more actions are rejected
 * @throws Exception any other failure raised by the single-action enforcement
 */
@Override
public void enforce(EntityId entity, Principal principal, Set<Action> actions) throws Exception {
  // With authorization switched off no check is performed at all.
  if (!isSecurityAuthorizationEnabled()) {
    return;
  }

  Set<Action> denied = EnumSet.noneOf(Action.class);
  // Created up front so each per-action rejection can be recorded on it as it occurs.
  UnauthorizedException collected = new UnauthorizedException(principal, entity);
  for (Action requested : actions) {
    try {
      enforce(entity, principal, requested);
    } catch (UnauthorizedException rejection) {
      denied.add(requested);
      collected.addSuppressed(rejection);
    }
  }

  if (denied.isEmpty()) {
    return;
  }
  throw new UnauthorizedException(principal, denied, entity, collected);
}
use of co.cask.cdap.security.spi.authorization.UnauthorizedException in project cdap by caskdata.
the class RemoteAuthorizationEnforcer method enforce.
/**
 * Enforces a single action, answering from the policy cache when caching is enabled and from
 * {@code doEnforce} otherwise.
 *
 * @param entity the entity on which the action is requested
 * @param principal the principal whose privilege is checked
 * @param action the action to enforce
 * @throws UnauthorizedException if the decision for this privilege is negative
 * @throws Exception any failure raised while obtaining the decision
 */
@Override
public void enforce(EntityId entity, Principal principal, Action action) throws Exception {
  // With authorization switched off no check is performed at all.
  if (!isSecurityAuthorizationEnabled()) {
    return;
  }

  AuthorizationPrivilege privilege = new AuthorizationPrivilege(principal, entity, action);
  final boolean permitted;
  if (cacheEnabled) {
    // NOTE(review): a cached decision is returned as is. How long an "allowed" entry can
    // outlive a revoke depends on the cache's expiry settings, which are configured outside
    // this method and should be confirmed.
    permitted = authPolicyCache.get(privilege);
  } else {
    permitted = doEnforce(privilege);
  }

  if (permitted) {
    return;
  }
  throw new UnauthorizedException(principal, action, entity);
}